Debian LTS: DLA-3265-1: exiv2 security update | LinuxSecurity.com
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3265-1                [email protected]
https://www.debian.org/lts/security/                        Helmut Grohne
January 10, 2023                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : exiv2
Version        : 0.25-4+deb10u4
CVE ID         : CVE-2017-11591 CVE-2017-14859 CVE-2017-14862 CVE-2017-14864
                 CVE-2017-17669 CVE-2017-18005 CVE-2018-8976 CVE-2018-17581
                 CVE-2018-19107 CVE-2018-19108 CVE-2018-19535 CVE-2018-20097
                 CVE-2019-13110 CVE-2019-13112 CVE-2019-13114 CVE-2019-13504
                 CVE-2019-14369 CVE-2019-14370 CVE-2019-17402 CVE-2020-18771
                 CVE-2021-29458 CVE-2021-32815 CVE-2021-34334 CVE-2021-37620
                 CVE-2021-37621 CVE-2021-37622
Debian Bug     : 876893 885981 886006 903813 910060 913272 913273 915135
                 932467 946341 987277 992705 992706

This update fixes a number of memory access violations and other input
validation failures that can be triggered by passing specially crafted files to
exiv2.

CVE-2017-11591

    There is a Floating point exception in the Exiv2::ValueType function that
    will lead to a remote denial of service attack via crafted input.

CVE-2017-14859

    An Invalid memory address dereference was discovered in
    Exiv2::StringValueBase::read in value.cpp. The vulnerability causes a
    segmentation fault and application crash, which leads to denial of service.

CVE-2017-14862

    An Invalid memory address dereference was discovered in
    Exiv2::DataValue::read in value.cpp. The vulnerability causes a
    segmentation fault and application crash, which leads to denial of service.

CVE-2017-14864

    An Invalid memory address dereference was discovered in Exiv2::getULong in
    types.cpp. The vulnerability causes a segmentation fault and application
    crash, which leads to denial of service.

CVE-2017-17669

    There is a heap-based buffer over-read in the
    Exiv2::Internal::PngChunk::keyTXTChunk function of pngchunk_int.cpp. A
    crafted PNG file will lead to a remote denial of service attack.

CVE-2017-18005

    Exiv2 has a Null Pointer Dereference in the Exiv2::DataValue::toLong
    function in value.cpp, related to crafted metadata in a TIFF file.

CVE-2018-8976

    jpgimage.cpp allows remote attackers to cause a denial of service
    (image.cpp Exiv2::Internal::stringFormat out-of-bounds read) via a crafted
    file.

CVE-2018-17581

    CiffDirectory::readDirectory() at crwimage_int.cpp has excessive stack
    consumption due to a recursive function, leading to Denial of service.

CVE-2018-19107

    Exiv2::IptcParser::decode in iptc.cpp (called from psdimage.cpp in the PSD
    image reader) may suffer from a denial of service (heap-based buffer
    over-read) caused by an integer overflow via a crafted PSD image file.

CVE-2018-19108

    Exiv2::PsdImage::readMetadata in psdimage.cpp in the PSD image reader may
    suffer from a denial of service (infinite loop) caused by an integer
    overflow via a crafted PSD image file.

CVE-2018-19535

    PngChunk::readRawProfile in pngchunk_int.cpp may cause a denial of service
    (application crash due to a heap-based buffer over-read) via a crafted PNG
    file.

CVE-2018-20097

    There is a SEGV in Exiv2::Internal::TiffParserWorker::findPrimaryGroups of
    tiffimage_int.cpp. A crafted input will lead to a remote denial of service
    attack.

CVE-2019-13110

    A CiffDirectory::readDirectory integer overflow and out-of-bounds read
    allows an attacker to cause a denial of service (SIGSEGV) via a crafted CRW
    image file.

CVE-2019-13112

    A PngChunk::parseChunkContent uncontrolled memory allocation allows an
    attacker to cause a denial of service (crash due to an std::bad_alloc
    exception) via a crafted PNG image file.

CVE-2019-13114

    http.c allows a malicious http server to cause a denial of service (crash
    due to a NULL pointer dereference) by returning a crafted response that
    lacks a space character.

CVE-2019-13504

    There is an out-of-bounds read in Exiv2::MrwImage::readMetadata in
    mrwimage.cpp.

CVE-2019-14369

    Exiv2::PngImage::readMetadata() in pngimage.cpp allows attackers to cause a
    denial of service (heap-based buffer over- read) via a crafted image file.

CVE-2019-14370

    There is an out-of-bounds read in Exiv2::MrwImage::readMetadata() in
    mrwimage.cpp. It could result in denial of service.

CVE-2019-17402

    Exiv2 allows attackers to trigger a crash in Exiv2::getULong in types.cpp
    when called from Exiv2::Internal::CiffDirectory::readDirectory in
    crwimage_int.cpp, because there is no validation of the relationship of the
    total size to the offset and size.

CVE-2020-18771

    Exiv2 has a global buffer over-read in
    Exiv2::Internal::Nikon1MakerNote::print0x0088 in nikonmn_int.cpp which can
    result in an information leak.

CVE-2021-29458

    An out-of-bounds read was found in Exiv2. The out-of- bounds read is
    triggered when Exiv2 is used to write metadata into a crafted image file.
    An attacker could potentially exploit the vulnerability to cause a denial
    of service by crashing Exiv2, if they can trick the victim into running
    Exiv2 on a crafted image file. Note that this bug is only triggered when
    writing the metadata, which is a less frequently used Exiv2 operation than
    reading the metadata. For example, to trigger the bug in the Exiv2
    command-line application, you need to add an extra command-line argument
    such as insert.

CVE-2021-32815

    The assertion
    failure is triggered when Exiv2 is used to modify the metadata of a
    crafted image file. An attacker could potentially exploit the
    vulnerability to cause a denial of service, if they can trick the
    victim into running Exiv2 on a crafted image file. Note that this bug
    is only triggered when modifying the metadata, which is a less
    frequently used Exiv2 operation than reading the metadata. For
    example, to trigger the bug in the Exiv2 command-line application, you
    need to add an extra command-line argument such as `fi`.

CVE-2021-34334

    An infinite loop is triggered when Exiv2 is used to read the metadata of a
    crafted image file. An attacker could potentially exploit the vulnerability
    to cause a denial of service, if they can trick the victim into running
    Exiv2 on a crafted image file.

CVE-2021-37620

    An out-of-bounds read is triggered when Exiv2 is used to read the metadata
    of a crafted image file. An attacker could potentially exploit the
    vulnerability to cause a denial of service, if they can trick the victim
    into running Exiv2 on a crafted image file.

CVE-2021-37621

    An infinite loop is triggered when Exiv2 is used to print the metadata of a
    crafted image file. An attacker could potentially exploit the vulnerability
    to cause a denial of service, if they can trick the victim into running
    Exiv2 on a crafted image file. Note that this bug is only triggered when
    printing the image ICC profile, which is a less frequently used Exiv2
    operation that requires an extra command line option (`-p C`).

CVE-2021-37622

    An infinite loop is triggered when Exiv2 is used to modify the metadata of
    a crafted image file. An attacker could potentially exploit the
    vulnerability to cause a denial of service, if they can trick the victim
    into running Exiv2 on a crafted image file. Note that this bug is only
    triggered when deleting the IPTC data, which is a less frequently used
    Exiv2 operation that requires an extra command line option (`-d I rm`).

For Debian 10 buster, these problems have been fixed in version
0.25-4+deb10u4.

We recommend that you upgrade your exiv2 packages.

For the detailed security status of exiv2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/exiv2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Debian LTS: DLA-3265-1: exiv2 security update

January 10, 2023
This update fixes a number of memory access violations and other input validation failures that can be triggered by passing specially crafted files to exiv2

Summary

CVE-2017-11591

There is a Floating point exception in the Exiv2::ValueType function that
will lead to a remote denial of service attack via crafted input.

CVE-2017-14859

An Invalid memory address dereference was discovered in
Exiv2::StringValueBase::read in value.cpp. The vulnerability causes a
segmentation fault and application crash, which leads to denial of service.

CVE-2017-14862

An Invalid memory address dereference was discovered in
Exiv2::DataValue::read in value.cpp. The vulnerability causes a
segmentation fault and application crash, which leads to denial of service.

CVE-2017-14864

An Invalid memory address dereference was discovered in Exiv2::getULong in
types.cpp. The vulnerability causes a segmentation fault and application
crash, which leads to denial of service.

CVE-2017-17669

There is a heap-based buffer over-read in the
Exiv2::Internal::PngChunk::keyTXTChunk function of pngchunk_int.cpp. A
crafted PNG file will lead to a remote denial of service attack.

CVE-2017-18005

Exiv2 has a Null Pointer Dereference in the Exiv2::DataValue::toLong
function in value.cpp, related to crafted metadata in a TIFF file.

CVE-2018-8976

jpgimage.cpp allows remote attackers to cause a denial of service
(image.cpp Exiv2::Internal::stringFormat out-of-bounds read) via a crafted
file.

CVE-2018-17581

CiffDirectory::readDirectory() at crwimage_int.cpp has excessive stack
consumption due to a recursive function, leading to Denial of service.

CVE-2018-19107

Exiv2::IptcParser::decode in iptc.cpp (called from psdimage.cpp in the PSD
image reader) may suffer from a denial of service (heap-based buffer
over-read) caused by an integer overflow via a crafted PSD image file.

CVE-2018-19108

Exiv2::PsdImage::readMetadata in psdimage.cpp in the PSD image reader may
suffer from a denial of service (infinite loop) caused by an integer
overflow via a crafted PSD image file.

CVE-2018-19535

PngChunk::readRawProfile in pngchunk_int.cpp may cause a denial of service
(application crash due to a heap-based buffer over-read) via a crafted PNG
file.

CVE-2018-20097

There is a SEGV in Exiv2::Internal::TiffParserWorker::findPrimaryGroups of
tiffimage_int.cpp. A crafted input will lead to a remote denial of service
attack.

CVE-2019-13110

A CiffDirectory::readDirectory integer overflow and out-of-bounds read
allows an attacker to cause a denial of service (SIGSEGV) via a crafted CRW
image file.

CVE-2019-13112

A PngChunk::parseChunkContent uncontrolled memory allocation allows an
attacker to cause a denial of service (crash due to an std::bad_alloc
exception) via a crafted PNG image file.

CVE-2019-13114

http.c allows a malicious http server to cause a denial of service (crash
due to a NULL pointer dereference) by returning a crafted response that
lacks a space character.

CVE-2019-13504

There is an out-of-bounds read in Exiv2::MrwImage::readMetadata in
mrwimage.cpp.

CVE-2019-14369

Exiv2::PngImage::readMetadata() in pngimage.cpp allows attackers to cause a
denial of service (heap-based buffer over- read) via a crafted image file.

CVE-2019-14370

There is an out-of-bounds read in Exiv2::MrwImage::readMetadata() in
mrwimage.cpp. It could result in denial of service.

CVE-2019-17402

Exiv2 allows attackers to trigger a crash in Exiv2::getULong in types.cpp
when called from Exiv2::Internal::CiffDirectory::readDirectory in
crwimage_int.cpp, because there is no validation of the relationship of the
total size to the offset and size.

CVE-2020-18771

Exiv2 has a global buffer over-read in
Exiv2::Internal::Nikon1MakerNote::print0x0088 in nikonmn_int.cpp which can
result in an information leak.

CVE-2021-29458

An out-of-bounds read was found in Exiv2. The out-of- bounds read is
triggered when Exiv2 is used to write metadata into a crafted image file.
An attacker could potentially exploit the vulnerability to cause a denial
of service by crashing Exiv2, if they can trick the victim into running
Exiv2 on a crafted image file. Note that this bug is only triggered when
writing the metadata, which is a less frequently used Exiv2 operation than
reading the metadata. For example, to trigger the bug in the Exiv2
command-line application, you need to add an extra command-line argument
such as insert.

CVE-2021-32815

The assertion
failure is triggered when Exiv2 is used to modify the metadata of a
crafted image file. An attacker could potentially exploit the
vulnerability to cause a denial of service, if they can trick the
victim into running Exiv2 on a crafted image file. Note that this bug
is only triggered when modifying the metadata, which is a less
frequently used Exiv2 operation than reading the metadata. For
example, to trigger the bug in the Exiv2 command-line application, you
need to add an extra command-line argument such as `fi`.

CVE-2021-34334

An infinite loop is triggered when Exiv2 is used to read the metadata of a
crafted image file. An attacker could potentially exploit the vulnerability
to cause a denial of service, if they can trick the victim into running
Exiv2 on a crafted image file.

CVE-2021-37620

An out-of-bounds read is triggered when Exiv2 is used to read the metadata
of a crafted image file. An attacker could potentially exploit the
vulnerability to cause a denial of service, if they can trick the victim
into running Exiv2 on a crafted image file.

CVE-2021-37621

An infinite loop is triggered when Exiv2 is used to print the metadata of a
crafted image file. An attacker could potentially exploit the vulnerability
to cause a denial of service, if they can trick the victim into running
Exiv2 on a crafted image file. Note that this bug is only triggered when
printing the image ICC profile, which is a less frequently used Exiv2
operation that requires an extra command line option (`-p C`).

CVE-2021-37622

An infinite loop is triggered when Exiv2 is used to modify the metadata of
a crafted image file. An attacker could potentially exploit the
vulnerability to cause a denial of service, if they can trick the victim
into running Exiv2 on a crafted image file. Note that this bug is only
triggered when deleting the IPTC data, which is a less frequently used
Exiv2 operation that requires an extra command line option (`-d I rm`).

For Debian 10 buster, these problems have been fixed in version
0.25-4+deb10u4.

We recommend that you upgrade your exiv2 packages.

For the detailed security status of exiv2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/exiv2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Severity
Package : exiv2
Version : 0.25-4+deb10u4
CVE ID : CVE-2017-11591 CVE-2017-14859 CVE-2017-14862 CVE-2017-14864
Debian Bug : 876893 885981 886006 903813 910060 913272 913273 915135

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.